Thursday, 26 May 2011

Seems the bad guys don't believe we actually check sites/files we're coming across anymore, only that we look for a specific filename. I've been monitoring a couple sites leading to trojans, and having the domains shut down. Over the past few days (approx the 20th), they've disabled the specific filename the malicious code points to, possibly believing we'll say "okay, it doesn't exist anymore, stop checking it".

Up until yesterday, the filename the code always pointed to was FlashPlayer.45187.exe, and indeed, as of 2 mins ago, it still does, but loading the URL with that filename results in a 404.

If we change the numeric, it magically works again. For example (note: DirectI have now suspended this domain, and almost beat the record, responding to and actioning the report in ~6 mins!);
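As an added example (not code from the original post), here is the kind of check that doesn't fall for this trick: instead of only testing the exact filename the malicious code references, it also tries neighbouring and probe numerics, so a 404 on FlashPlayer.45187.exe alone is not read as "the payload is gone". The hostname, the response table and the fetch function are constructed stand-ins; in practice you would swap fake_fetch for a real HEAD request.

```python
import re
from typing import Callable, Dict, List
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the remote server: URL -> HTTP status it returns.
# The exact filename from the malicious code 404s, other numerics still serve.
FAKE_RESPONSES: Dict[str, int] = {
    "http://example.invalid/dl/FlashPlayer.45187.exe": 404,
    "http://example.invalid/dl/FlashPlayer.45188.exe": 200,
    "http://example.invalid/dl/FlashPlayer.1.exe": 200,
}


def fake_fetch(url: str) -> int:
    """Stand-in for an HTTP HEAD request; anything unknown is a 404."""
    return FAKE_RESPONSES.get(url, 404)


_NUMERIC = re.compile(r"\d+")


def numeric_variants(url: str, probes=(1, 12345)) -> List[str]:
    """Variants of url with the last numeric run in the filename replaced by
    n-1, n+1 and each probe value. No numeric in the filename -> no variants."""
    parts = urlsplit(url)
    head, _, fname = parts.path.rpartition("/")
    matches = list(_NUMERIC.finditer(fname))
    if not matches:
        return []
    m = matches[-1]
    n = int(m.group())
    candidates = dict.fromkeys([n - 1, n + 1, *probes])  # de-dup, keep order
    out = []
    for c in candidates:
        if c < 0 or c == n:
            continue
        new_fname = fname[:m.start()] + str(c) + fname[m.end():]
        out.append(urlunsplit(parts._replace(path=head + "/" + new_fname)))
    return out


def check_payload(url: str, fetch: Callable[[str], int]) -> Dict[str, int]:
    """Status of the exact URL, plus every numeric variant that is live (2xx)."""
    results = {url: fetch(url)}
    for v in numeric_variants(url):
        status = fetch(v)
        if 200 <= status < 300:
            results[v] = status
    return results


def still_live(url: str, fetch: Callable[[str], int]) -> bool:
    """True if the exact URL or any numeric variant still serves content."""
    return any(200 <= s < 300 for s in check_payload(url, fetch).values())
```

Run against fake_fetch, the exact filename reports 404 while two variants report 200, so the domain still belongs on the takedown list.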

Tuesday, 24 May 2011

My other half, though in her 20s, is also part of the "share it all" and "it'll never happen to me" generation, despite being as paranoid and insecure as heck about everything (though generally only paranoid about what her friends think, what I think etc, rather than things that actually matter). Drives me up the wall, especially given she should be mature enough to know better.

Kids are already being brought up to "share it all" and "it'll never happen to me", and have been since I was a child. However, with the introduction of the "internet to the world", and more and more reliance on technology for everything from education to the simple act of talking to friends, and a major lack of education and monitoring by the parents (who alas are even worse than the kids they're meant to be looking after, and raising to be responsible), things are only going to get worse - especially if companies such as Facebook and Google et al, have their way.

Anyway, enough of my rambling.

If you look at the terms of service for many websites you’ll find they claim users under 13 are not allowed. This is required to protect themselves against COPPA (Child Online Privacy Protection Act). Even the search engine Ask.com notes “you may not register for the Community feature or create a user profile if you are under 13.” At the same time they market various products towards kids including Zwinky and Smiley Central using an invasive toolbar.

Facebook CEO Mark Zuckerberg is now recommending removing the under-13 restrictions. Mark’s main reason is education. I have no doubt the first lesson kids will learn is how easy it is to give away your personal information and get scammed. Then again, they might think it’s normal for Facebook to post messages to all their friends without their approval.

I haven’t talked to many people who think Facebook should be open to children under 13. That includes all the parents who already allow their pre-teens to have a Facebook account. Their response is always that they supervise what their kids are doing online so it’s ok. If you think it’s ok for kids under 13 to create a Facebook profile or your pre-teen already has an account click comments below and share your opinion.

Oh dear, this isn't going to end well (especially given they were involved in the Phorm debacle too);

BT reserves, and makes use of, the right to remotely detect all devices connected to LANs owned by its broadband customers – for their own good, of course.

BT Broadband customers can expect to have their network checked any time the operator feels it needs to take a peek to help it provide the service, or when the safety of the customer is in doubt – the latter being the motivation behind the only instance where we know the capability has been used.

That happened last week, when some BT Broadband customers received letters about the kit they had plugged into their networks.

Sunday, 22 May 2011

As if you needed telling, but sadly to state the obvious, the scammers traced back to India are still very much involved in defrauding unsuspecting victims, and are now apparently going one step further by infecting their machines to boot.

In previous iterations of this scam the person on the phone would get you to click through to the event viewer to "find something red". Strangely enough there is usually something red in most people's event log. However, do not despair if you don't have anything red, yellow is just as bad. Once the problem (well, any problem) was identified your support would have expired and they'd redirect you to a web site where you can part with your money and download some version of malware.

The new iteration of the scam goes one step further. Rather than get the victim to look, they get you to install TeamViewer (although no doubt other similar tools are likely used). They take control of your machine and start moving the files across. Manually infecting, sorry fixing, your machine. In this particular instance they noticed they were in a VM and promptly started removing the files they had moved, before the link was dropped and the phone call terminated.

The scam is obviously still working. It seems they have figured out that users can't be trusted to click a link, but installing remote control software and getting you to install the malware for them is ok.

My friend and co-admin at MalwareDomainList just alerted me to a site impersonating VirusTotal, for the purposes (surprise surprise) of infecting unwitting victims with both a fake AV and a trojan.

I've sent an e-mail to my friend Ross at Dot.tk, to have the .tk domain taken out, and will be getting in touch with the host and registrar, for the site it's pointing to, but in the meantime, you can read the details on this over at the MDL forums;

Thursday, 12 May 2011

Oh I do love good news in the morning. Zango/Pinball need no introduction, everyone is aware of their ongoing shenanigans over the years, and it looks like they're down for the count for now. Or at least, business filings say they are (we all know Zango tried the same hide and seek method, and left a trail that led to the switch to Pinball Corp being discovered relatively quickly).

I've said it before, and I'll say it again, Zango/Pinball, whatever they want to call themselves, will be back in one guise or another. There's simply too much money in it for them not to.

For now however, grab yourself a fresh coffee, pull up a pew, and have a little smile!

Pinball Corporation is a company that bought the remnants of Zango, a company that had a reputation for pushing slimeware. Last year I pointed out a case where Pinball Corp were clearly not keeping an eye on the actions of their affiliates, and other people have been critical of them too.

Well, there's potentially some good news, because according to the Washington State Corporations Division, Pinball Corp became inactive on the 2nd May 2011.

Thursday, 5 May 2011

Ever wonder why some hosting companies try and send you on a "we're waiting, it's resolved, really we're just the innocent victims here, please be patient" game, that results in your getting frustrated and the criminals staying online even longer?

Well, the answer is companies (and I use the term companies loosely in this case) such as Don Servers, which is actually the same "company" as CompLife Ltd (AS43134) who are the same entity as HOSTSERV (AS42741). HOSTSERV for those that don't know, are also known as "ALEXANDRU-NET-TM-AS S.C. ALEXANDRU NET TM S.R.L."

We've known for quite some time that CompLife Ltd are 100% criminal, but thanks to their being rather brazen (and very stupid I might add), they've allowed a simple e-mail address to tie the two of them together;

godaccs@gmail.com

This chap is a regular visitor of the equally criminal forum, GoFuckBiz (Ref: DonServers profile), using the usernames "Support_DonServers" and DonChicho (fans of "The Godfather" I'm guessing). DonServers, in case you're wondering, are using both don.sh and donservers.ru. Both are hosted at 208.76.54.75, AS47869 Netrouting Inc. (awww, their own hosting too expensive?)

You'll also have noticed (Ref: Fake AVs back to using Instra), this is the e-mail address assigned to the WhoIs records, for HOSTSERV (who incidentally, own the IP range CompLife/DonServers happen to be using (I know, I know, no surprise there)).

So HostSERV = CompLife Ltd = DonServers, and collectively = AS42741 and AS43134 (wonder how many others they have???).

So what do this chap's customers get? Well, according to one of his "private" websites, a choice of server depending on the type of content that's going to be there, as shown by this lovely little screenshot (just in case the site goes AWOL)